MalwareTech

How to Accidentally Stop a Global Cyber Attacks

So finally I’ve found enough time between emails and Skype calls to write up on the crazy events which occurred over Friday, which was supposed to be part of my week off (I made it a total of 4 days without working, so there’s that). You’ve probably read about the WannaCrypt fiasco on several news sites, but I figured I’d tell my story.

I woke up at around 10 AM and checked onto the UK cyber threat sharing platform, where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend; meanwhile the WannaCrypt ransomware campaign had entered full swing.

When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don’t open phishing emails, which suggested that for something to be this widespread it would have to be propagating using another method). I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.

Using Cisco Umbrella, we can actually see query volume to the domain prior to my registration of it which shows the campaign started at around 8 AM UTC.

While the domain was propagating, I ran the sample again in my virtual environment to be met with the WannaCrypt ransom page; but more interesting was that after encrypting the fake files I left there as a test, it started connecting out to random IP addresses on port 445 (used by SMB). The mass connection attempts immediately made me think exploit scanner, and the fact it was scanning on the SMB port caused me to look back to the recent ShadowBroker leak of NSA exploits containing….an SMB exploit. Obviously I had no evidence yet that it was definitely scanning SMB hosts or using the leaked NSA exploit, so I tweeted out my finding and went to tend to the now propagated domain.

Sample I found scans SMB after dropping WannaCrypt. Can anyone confirm it's the same thing? P2P spreading ransomware would be significant. pic.twitter.com/zs5Td4ovvL

Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand such domains in the past year.

Our standard model goes something like this.

1. Look for unregistered or expired C2 domains belonging to active botnets and point them to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).

2. Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.

3. Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.

In the case of WannaCrypt, steps 1, 2 and 3 were all one and the same; I just didn’t know it yet.
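Step 2 of the model above is mostly log crunching. The script below is an added example (not MalwareTech’s or the sinkhole’s own code) that collapses sinkhole web-server hits into one record per infected IP and groups them by network owner for victim notification; the log lines, domain, IP addresses and the netblock-to-owner map are all constructed placeholders, not data from the real sinkhole.

```python
"""Sinkhole log aggregation: a model of step 2 of the standard sinkhole workflow.

Added example, not code from the post. Every log line, IP address and
netblock owner below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Apache-style combined log lines from a sinkhole web server.
# Each matching hit is an infected host reaching the sinkholed check-in domain;
# the corrupt line shows that the parser skips anything it cannot read.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2017:15:08:41 +0000] "GET / HTTP/1.1" 200 2 "-" "-"
203.0.113.7 - - [12/May/2017:15:09:02 +0000] "GET / HTTP/1.1" 200 2 "-" "-"
198.51.100.23 - - [12/May/2017:15:09:15 +0000] "GET / HTTP/1.1" 200 2 "-" "-"
203.0.113.200 - - [12/May/2017:15:10:30 +0000] "GET / HTTP/1.1" 200 2 "-" "-"
this line is corrupt and must be skipped
192.0.2.5 - - [12/May/2017:16:01:00 +0000] "GET / HTTP/1.1" 200 2 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed netblock-to-owner map standing in for a WHOIS/GeoIP lookup.
OWNERS = {
    ip_network("203.0.113.0/24"): "Example Hospital Trust (UK)",
    ip_network("198.51.100.0/24"): "Example ISP (DE)",
}


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ip_address(m["ip"])
    except ValueError:
        return None
    return {"ip": ip, "ts": datetime.strptime(m["ts"], TS_FMT), "status": int(m["status"])}


def owner_of(ip):
    """Map a source IP to the organisation that should be notified."""
    for net, name in OWNERS.items():
        if ip in net:
            return name
    return "unknown"


def summarise(log_text):
    """Collapse hits into one record per infected IP: first/last seen, hit count, owner."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = str(rec["ip"])
        h = hosts.setdefault(
            key, {"first": rec["ts"], "last": rec["ts"], "hits": 0, "owner": owner_of(rec["ip"])}
        )
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        h["hits"] += 1
    return hosts


def notifications(hosts):
    """Group infected IPs by owner so each organisation receives one victim list."""
    by_owner = defaultdict(list)
    for ip, info in hosts.items():
        by_owner[info["owner"]].append(ip)
    return {owner: sorted(ips, key=ip_address) for owner, ips in by_owner.items()}


if __name__ == "__main__":
    hosts = summarise(SAMPLE_LOG)
    print(f"{len(hosts)} unique infected IPs")
    for owner, ips in notifications(hosts).items():
        print(f"{owner}: {', '.join(ips)}")
```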

A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB hosts, which I provided. Humorously, at this point we had unknowingly killed the malware, so there was much confusion as to why he could not run the exact same sample I had just run and get any results at all. As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.

I set about making sure our sinkhole servers were stable and getting the expected data from the domain we had registered (at this point we still didn’t know much about what the domain I registered was for, just that anyone infected with this malware would connect to the domain we now owned, allowing us to track the spread of the infection). Sorting out the sinkholes took longer than expected due to a very large botnet we had sinkholed the previous week eating up all the bandwidth, but soon enough I was able to set up a live tracking map and push it out via Twitter (you can still see it here).

Around 6:23 PM (BST) I asked an employee to look into the worm code and verify that the domain we registered would not change (some malware will periodically change the domain using an algorithm, so we needed to know if there would be new domains so we could register those too); meanwhile I performed some updates to the live map to deal with the rapid influx of new visitors.

After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware, meaning we’d encrypted everyone’s files (don’t worry, this was later proven not to be the case), but it still caused quite a bit of panic. I contacted Kafeine about this and he linked me to the following freshly posted tweet by ProofPoint researcher Darien Huss, who stated the opposite (that our registration of the domain had actually stopped the ransomware and prevented the spread).

Having heard two conflicting answers, I anxiously loaded back up my analysis environment and ran the sample….nothing. I then modified my hosts file so that the domain connection would be unsuccessful and ran it again…..RANSOMWARED.

Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second meant that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain (I initially kept quiet about this while I reverse engineered the code myself to triple check this was the case, but by now Darien’s tweet had gotten a lot of traction).

So why did our sinkhole cause an international ransomware epidemic to stop?

Talos wrote a great writeup explaining the code side here, which I’ll elaborate on using Darien’s screenshot.

All this code is doing is attempting to connect to the domain we registered: if the connection is not successful it ransoms the system, and if it is successful the malware exits (this was not clear to me at first from the screenshot, as I lacked the context of what the parent function may be doing with the results).

The explanation which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis technique.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then, once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (it will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course, now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.
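To make the failure mode concrete, here is an added toy model (not code from the post, nor the malware’s code) of the two sandbox checks just described. A “resolver” is a function from a domain name to an IP address, or None for an unregistered name; the three resolvers stand in for the real internet before registration, the real internet after the sinkhole registration, and a fake-DNS sandbox. The domain and IP addresses are constructed placeholders, and the Necurs-style check is modelled only as the post describes it (five random names must all resolve to the same address).

```python
"""Why registering one hardcoded domain switched the sample off.

Added example, not code from the post. Models the single-hardcoded-domain
check and the Necurs-style random-domain check under three resolver
environments. All names and addresses are constructed placeholders.
"""
import random
import string

KILL_SWITCH = "example-hardcoded-domain.invalid"  # placeholder, not the real domain
SANDBOX_IP = "10.0.0.1"                            # constructed sandbox address
SINKHOLE_IP = "192.0.2.10"                         # constructed sinkhole address


def real_internet(domain):
    """Before registration: neither the hardcoded domain nor random junk resolves."""
    return None


def sinkholed_internet(domain):
    """After registration: only the hardcoded domain resolves, to the sinkhole."""
    return SINKHOLE_IP if domain == KILL_SWITCH else None


def fake_dns_sandbox(domain):
    """Sandbox that answers every lookup with its own address, as the post describes."""
    return SANDBOX_IP


def single_domain_check(resolve):
    """WannaCrypt-style: any answer for the one hardcoded domain means 'sandbox'."""
    return resolve(KILL_SWITCH) is not None


def random_domains_check(resolve, n=5, rng=None):
    """Necurs-style as described in the post: n random names must all resolve,
    and to the same address, before the environment is treated as a sandbox."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    answers = set()
    for _ in range(n):
        name = "".join(rng.choices(string.ascii_lowercase, k=16)) + ".com"
        ip = resolve(name)
        if ip is None:
            return False  # one NXDOMAIN is enough to conclude 'real internet'
        answers.add(ip)
    return len(answers) == 1


ENVIRONMENTS = {
    "real internet, domain unregistered": real_internet,
    "real internet, domain sinkholed": sinkholed_internet,
    "fake-DNS sandbox": fake_dns_sandbox,
}


def compare():
    """Return {environment: (single_check_says_sandbox, random_check_says_sandbox)}."""
    return {name: (single_domain_check(r), random_domains_check(r))
            for name, r in ENVIRONMENTS.items()}


if __name__ == "__main__":
    for env, (single, rand) in compare().items():
        print(f"{env:36} single-domain: {single!s:5}  random-domains: {rand}")
```

The middle row is the whole story: after the sinkhole registration the single-domain check reports “sandbox” on every real infection and the sample exits, while the random-domain variant is unaffected, which is why the sinkhole stops only this sample.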

One thing that is very important to note is our sinkholing only stops this sample, and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.

As well as the names & companies mentioned in this blog I’d like to give a shout out to:

NCSC UK – Their threat intelligence sharing program provided us with valuable information needed to first identify the malware family behind the attack. They also helped ensure our sinkholes were not mistaken for criminal controlled infrastructure so that we could feed them the information required to notify UK victims.

FBI & ShadowServer – They were a great help in getting non-UK victims notified of the infections in a very short span of time, even if it did mean me staying up all night to link in with them.

Microsoft – By releasing an out-of-band patch for unsupported operating systems such as Windows XP and Server 2003, people are now able to patch rather than having to attempt upgrades to newer systems in order to be secured against this worm.

If you have anything to patch, patch it. If you need a guide, this one is being reguarly updated: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware


Adam Dunlop

Thank you for your great work to stop this attack. How many hits on the domain now?

The media are dead wrong calling you an ‘Accidental Hero’, you are a professional and this was great work, well done!

Mike K

AGREED! Accident my @$s. Nicely done.

motrek

Of course it was an accident. When he registered the domain, he didn’t think “hey, this’ll stop the worm!” Hence accident.

Greg Martin

I think it’s an unconscious assumption that the writer of the article is male. I’ve gotten better over time at noticing such implicit bias within myself, but we still fall into that trap sometimes….

Michael

Well, no, it’s a simple case of reading the article carefully and noting that he says his gender

Thistle_Weed2 ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵀʳᵘᵐᵖ

/facepalm

as a women, I say please shut up. beyond silly bringing that gender nonsense into a serious conversation and frankly insulting.

ivo kostić

what’s serious about some moron clicking random thing on the web and infecting machine(s) with other holes that let virus spread?
i think it’s rather funny who qualifies to work at those infected institutions. perhaps they got there via affirmative action? minorities and women first? that will yield tech. expertise in no time!
it also speaks a lot about people running those networks, regardless of their sex. and american intelligence agencies.

and as a woman, ask yourself who created this “any gender can do anything” attitude…i inspected ‘nhs digital’ twitter, 100% of woman there don’t have a clue what’s happening…and most men…and most media…post-truth society…heh…makes you wannacry….

Wilhelm Cruel

hey, as a women[sic!] why do you think it is about gender for him, maybe he is still sad because he couldn’t find a boo in his field because bitches rather let nerds install their apps than to learn highclass brainiacstuff. it is not about bragging about gender stuff we all know engineers have no gender they have male and female connectionparts… but there is way too few female connectors in the biz, so if a guy overreading the only he in a mile long text confuses unconsciously reading a he in connection to the author to be an unconscious assumption is funny and not your white knight you can send to hell for seeming to be a white knight.

as a human we should show decency first and foremost, there is no females on the internet so stfu manenist.

(look at muhhh bias yo suggesting a human called greg martin to be male lel, he didn’t mention it at all lel)

WolfieTWolfe

Are you a fucking illiterate?

Crystal

Well, also as a woman, I appreciate when people like Greg try to look out for these things.

Uh no. He was following a set of heuristic rules that experience has shown to be useful in disabling botnets. Nothing accidental in any way that the process he used resulted in stopping the execution of these infection instances.

If this particular step hadn’t stopped the virus there would have been further steps taken that would have eventually resulted in the same effect.

What happened was inevitable. It was just quicker than expected.

motrek

No, registering the domain could have done the opposite, i.e., triggered the malware. In fact, the author worried that he had done exactly that for a little while.

Pressed Rat and Warthog

Registering the domain is standard procedure in these cases. It is part of the process needed to take control of the botnet. Yes it can have negative effects but if you do nothing the result is guaranteed to be bad.

The following document describes the same process as used for a different virus.

If a doctor is going into a surgery to prevent something from spreading through your body and his actions accidentally cure you, he is not an accidental doctor. That implies he wasn’t supposed to be there trying to stop the spread in the first place.

motrek

Bad analogy. This is like a surgeon stopping an infection by injecting the anesthesia… standard procedure which serves a purpose, but produces an unintended result (at least for that action).

dragonwaz .

You’re saying my analogy is bad while giving the same analogy where the only difference is specifically saying infection.

This means we basically agree that he wasn’t an accidental helper, he was specifically there to help, but standard procedure ended up being accidentally exactly what needed to be done.

The media was running the story like he was some random samaritan who accidentally helped. He was almost treated like the criminal in the situation from what I heard.

sarah teri


AU Trainstation

if you are driving on the road and see a lump in the road you may slow down or steer around it. If that lump turns out to be a person passed out on the road did you accidentally just prevent the death of a person or were you just being a good driver?

I’m guessing trying to break down a virus takes its fair share of trial and error.
The person was following procedures to identify and resolve a virus outbreak.

It does demonstrate how many reporters and editors are technically and comprehensively illiterate.

“My job is to look for ways we can track and potentially stop botnets…”

“I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher.”

“Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which i promptly registered.”

None of these events were accidental.

Dave

The media is filled with people who don’t do their research. This is both true in the IT world along with the firearms world. Me being involved in both. Media however LOVES buzzwords without even knowing what that word means nor use it in context correctly.

They make conclusions about things they don’t even understand or refer to a real expert in the field or multiple to get out of single sourced subjective analysis problems.

I am no total expert in either though I do know a lot, but I do my due diligence if I do write about a subject, I do RESEARCH vs WEBSEARCH on it to draw conclusions. I also then employ logic and personal experiences for supplementing those conclusions if I have the experiences to draw upon.

This is why I follow people I would deem as experts in the field, to learn more about what we come across, to ask questions, and to constantly learn.

This is why I follow the Malwaretech crew and others like them in security and forensics.

Malwaretech, thank you for your service, not only for this incident, but all the research you do.

Susan O’neill

Well said Dave. Whilst I struggled to follow the report on his progress, it would seem that he is connected to people who can offer a service and using his own expertise and by a process of elimination, find the answers, but because he caught on to something very quickly (which he might easily have missed, had he not been so thorough and alert) would have allowed the worm to continue its travels. I think a lot of people should be very thankful to MalwareTech and his expertise – even if it does generate more business for him, it’s probably well deserved.

mamadillo

Any chance you know me personally? If you need another clue: I have the same number of dogs you do.

Aris Adamantiadis

To be fair, he said himself he thought at some point that registering the domain name triggered the ransomware instead of disabling it. The story headline would have mentioned “Security research accidentally armed a ransomware” in that case. His experience told him it was a good thing to own domains used by C&C, his luck made it that it was a kill switch. I don’t think “accidental” is undeserved in this case.
Whatever, it’s a good job!

Greg Martin

I think it’s an unconscious assumption that the writer of the article is male. I’ve gotten better over time at noticing such implicit bias within myself, but we still fall into that trap sometimes.

Michael

Well, the bit where he says to picture a grown man jumping around was a clue for me.

I wasn’t unconscious when I read it though maybe that helped

Thistle_Weed2 ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵀʳᵘᵐᵖ

re; ‘implicit bias’ triggered?

men use less words to convey an idea than females, it’s how our brains (srs- it’s like proven via research etc, go on and google it) work. I completely read this as male author. As a female who works low level tech for nearly 19 yrs, I have no problem assuming it’s a male. Working women in tech don’t give 2 flips about male/female. So Greg, be a dear and don’t defend women. We can do that ourselves. keep your coat on and don’t worry about any rain puddles and helping us… m’kay?

Longtime_Geek

“be a dear and don’t defend women. We can do that ourselves”

Belittling, however kindly, those that support gender equality simply because they happen to be male, is to fall victim to the very behavior you fight against. That behavior is often called sexism, and you exhibited exactly that by condescending to men as if they can’t possibly feel as you do.

Be a dear and don’t criticize men who believe as you do, that all human beings deserve the same rights, regardless of gender.

Johnny Maple

“Be a dear and don’t criticize men who…”

Lol so basically “Yo babe, keep quiet when I’m defending you unless you’re telling me what a hero I am”

She wasn’t criticizing men; she was criticizing a specific group of them who feel the need for theatrical displays of internet-chivalry in hopes of being rewarded for their heroism with positive/grateful female attention.

Be a dear and don’t throw a trigger-tantrum when a woman has the audacity to call a wannabe Disney Prince out on his behavior instead of being a little damsel-in-distress like she should.

Longtime_Geek

It seems you may need a refresher in reading comprehension if you somehow translated my saying that men are also allowed to defend women’s rights into some “Yo babe” gibberish. Applying specific standards to any gender, by any gender is sexism – and that includes when women attempt to exclude men who support their goals from having a voice.

It really isn’t a difficult concept to grasp.

JustShootMe

Well said.

Longtime_Geek

“men use less words to convey an idea than females”

Your own gender bias is showing. Just ask the VP of the IT company I’ve worked for the last 11 years. She will tell you that no one uses more words than I do when conveying ideas. I started in IT in 1974, and I learned long ago that clarity is important, especially when attempting to convey ideas that are new to the listener. I describe myself as verbose. She prefers the term “wordy bastard,” which is close enough for me.

BTW, 42% of our employees are women, including 1/3 of the IT support techs.

Cheri Bittikofer

I think it is cool that we are not judged by our looks, gender, race etc when we are using our brains in tech discussions and only our words are seen.

Limi

If a study shows that men use fewer words in 70% of cases, it is also showing that they use more in 30%. You using more words than your boss doesn’t disprove that, or mean trusting the study is biased.

You fell into the same trap with the ‘be a dear’ business – thistle was not addressing all men, she was addressing one particular man. She was not belittling him for being a man, or for ham-fistedly supporting gender equality, she was belittling him for making a stupid comment. If he had simply been pushing people to check their implicit bias, she could be called sexist, but given that he was doing so beneath a blog post that clearly stated the author’s gender, and given she even singled him out by name, it is unreasonable to believe she means no man can ever help women. Or were you belittling all women who disagree with shoving gender politics into everything when you said ‘be a dear’ to her?

And even if she was addressing all male feminists, you would still be out of line. Johnny’s obviously hyperbolic comment was pointing out the ridiculousness of insisting women must allow men to help them or else they are being sexist. It’s a total contradiction, how can a woman be equal to a man if she can’t gain that equality on her own? Do you also believe black people would never be free without the white man’s help?

Longtime_Geek

Speaking of “out of line,” exactly how did you manage to conflate my statement about gender generalizations as a comment about racial inequality in America? But to answer your question, human history clearly demonstrates that inequality of any sort is only mitigated when the oppressors stop oppressing.
The change in how we treat LGBT issues is only one of several recent examples that show that, as the central demographic ages and fades away, human mores change faster and faster.
Once a majority of the members of any society stop getting in the way of change, that change begins to accelerate. This is true when it comes to race, gender, sexuality, income equality, religion, nationality or any other societal divide.

You can phrase it any way you like, but until the pressure to deny basic rights is superseded by the pressure to treat all as equals, oppression will remain.

Limi

I didn’t conflate anything, I used a similar but morally clearer situation to show you the flaw in your argument. Well, that’s what I thought would happen, but you apparently do think ‘the white man set them free’ is a legitimate argument, so we’re done here.

Longtime_Geek

Since I never said anything like that, and as a matter of fact I responded by wondering just how you got that impression from my original comment, you’re right – we’re done.

Cerberus

Irrelevant

Steven Singer

He said in the article “Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me.”

I think it’s safe to assume he’s a male.

I really hope you’re a troll and not a SJW douche.

Wilhelm Cruel

well he set up an experiment, “accidentally” killed the virus in doing so, let the experiment produce the data, read said data, found out how to kill the virus, was confused by a second opinion, reassured by a third, tested then for his opinion to be valid another time, concluded that the setup was the right thing to do. the only thing really accidental here is the people not understanding that programming basically is math, and as thus pretty darn readable, for people who aren’t illiterate, of which there basically are none with a working brain, but hey, we all can pretend to be stupid when we truly are just not that interested.

science works that way, we know that an experiment can change the outcome of said experiment, it has been mathematically proven, now even empirically besides mathematically twice. that is the real accident here because heck he didn’t know he was going to empirically prove the Heisenberg uncertainty relation to be true. he did know that his experiments would most certainly lead to a decision about his assumptions, which they did so nothing accidental about that. it is like opening Schrödinger’s box to be surprised to see a dead cat.

Susan O’neill

I assume you mean his MO in tracking and identifying any miscreant doings was deliberate, but he does state that it was his good fortune in triggering a default response which in a way, is as he stated – accidental, as opposed to deliberate.

Michael

Well of course.

The accident was the (at the time) unknown consequences of registering the domain which happened to be fortuitous.

Todd Crawford

The stories I have been reading are really ramping up the hype. Lots of misinformation. The current scare tactics are implying that when people go to work tomorrow they may be in for a surprise.

RiverKing

Self-effacing humility from someone who clearly doesn’t need the approval of wannabes.

greggreen29

I can’t believe how stupid journalists are. “My job is to look for ways we can track and potentially stop botnets…”

Maybe journalists are so technically deficient that everything involving PCs is accidental.

motrek

The “accident” is that an action the author took had an unintended effect. In this case the effect was desirable (a happy accident), but if it wasn’t, nobody would be arguing about the use of the word “accident.”

It might not be the ideal word for what happened but I’m struggling to think of a better one.

GreatLakeSailor

serendipitous

Jelise

Serendipitous still implies that it was an unintended result, and as such, it still happened by accident. There’s a reason why a serendipitous and accidental are considered synonyms.

GreatLakeSailor

Serendipitous = happy accident/beneficial accident

Jon Du Puy

WELL PUT!!!! AND YES CONGRATULATIONS MalwareTech!!!!! 6 STARS!!!!

LONG LIVE THE SINK HOLE— HOPE YOU GOT THAT WELL DESERVED SLEEP. CHEERS

Patrick Sletvold

It might have been accidental, but it was still professionally done to register the domain before investigating what it actually does in the code.

Tien Phan

Accidental or not, he definitely puts in lots of work here. Thank you very much!

gjnance

how-to-accidentally-stop-a-global-cyber-attacks.html

Note that I agree; no accident, but you can see where “the media” might get such an idea.


JAMES PLUNKETT

Legend !

John Steel

Nice job! Thanks for the write up. 🙂

Matt

Squeaky bum moment when you thought your domain registration had triggered the payload, hats off for following your instinct!
Hope people appreciate what you’ve done, thanks!

Bala Dutt

Very interesting and thanks for doing this.

leroy

n1

Mark Hunt

Great job. Our perimeter defences stopped us getting hit, but information that great folks like you provide is key to helping us maintain defences and make sure defence efforts are co-ordinated effectively.

thuo63

You is got skills blud. Respect.

Halo

well done indeed

Marcie Ashford

Thank you for saving the day for many, many people

Todddds

This outcome was a direct result of your extraordinary efforts and obvious long term experience. Your competence and dedication is a credit to yourself, your company and IT pros everywhere. The media, since they are only good for parroting, can’t fathom a creative individual making a difference, so they belittle your contribution as “accidental.” All discoveries are accidental, and the result of diligent efforts such as yours. It’s not like you logged onto Facebook and accidentally discovered the answer while browsing cat pictures. I’ve never heard of your blog before today and will be paying attention to your missives as this is news I can use in support of my clients. Thank you.

Read from this great find in a German newspaper.
I think “accidentally” is totally wrong since you looked into the code, set up the environments, did tests etc.

I like this read. Not being a professional (more an “advanced user”) many of those blogs are just too much for me. This one was a pleasure and understandable for every non-programmer!

Cloudmonkey98

The accident was in the fact that registering the domain did more than just snag control, since at the time his only info was that they were reporting to this unused domain, and since most botnets do some sort of thing like that, he snagged it like normal, he’d no clue or expectation that doing so would almost literally crash the malware, it was a happy accident that it was such a powerful effect, rather than just being a dumping ground into the sinkhole for pings and possibly other info

I agree, it was simple and well written, and even I could understand it

violettaglass

Good job and an interesting read.

leov

This is incredible – great work!

Toor

Haahaa! So shitty ISPs who modify nonexistent domain DNS replies with an IP of an advertising host accidentally protected against this malware – very funny

I didn’t get why they were trying to query an unregistered domain.
Is it just to check if the malware is in sandbox mode?

Aaron Walker

“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis”

Basically yes, it’s just a poorly thought out method; if it had used randomly generated URLs then it would still be going.

Why is Russia so lit up on the infection heat-map?
You’d think a place so security-paranoid and rights-deprived would be keeping its stuff fully updated and patched (or else).
Or are they all still running XP?

jasperwillem

Maybe they simply have no auto updating / patching due to the fact that a lot of operating systems are not on official licenses.

kort3x

My man!

Torsten Guttenberger

So much to comment on about this mess- NSA, unpatched systems, the morons who set this in motion, and people like you who fight the good fight. Thank you AH!

CISO Central

Are you able to release the sinkhole domain name? Also, the sites to which the initial infection goes to download the real payload? We’d like to check perimeter proxies and from your (excellent) description:

1. Allow connection to the ‘sandbox detector’ domain
2. Check to ensure we have no requests (which would have been blocked) out to the true payload download site(s)

CISO Central

…actually, our proxy will respond to the request to the ‘sandbox detector’ domain just to say connection isn’t permitted, but as far as the malware is concerned, it’s got an http response and so it will still shut itself down. It doesn’t need to get to the domain, it just needs to get any http response at all. But knowing the location(s) of the real payload would be good to enable a check of logs

Whoever the public-spirited mastermind of the NSA hack/leak, allowing a state-level sophisticated bunch of code to get thus weaponized needs to be brought before an international criminal court.
Putin, look at your karma on the infection heat-map. This is your conscience speaking…

greggreen29

It’ll be interesting to see what happens with this. Based on what’s in DC so far, including the Deep State, I expect little.

I think it’ll take other governments to get DC moving. But if other governments are more excited about what the NSA shares with them, maybe the status quo will continue.

dannyR

I imagine a quiet call from the Kremlin for Russian enterprises to update their aging XP. Also a few people taken down into the Kremlin basement to get a bullet in the head and an unmarked grave.

As for the NSA and CIA etc. They should just stop outsourcing. Everything. Full stop.

Susan O’neill

Putin? How about your idiot CIA/FBI/MI5 tossers, who only think they know it all. The US and UK have been spying on Russia as long as Israel has been spying on them – a bloody long time. Then there are the pranksters who are often cleverer than those cum laude experts. Then there are the likes of Killary Clinton being “careless” yeah right, that’s one word for her treasonous activity which opened the door to anyone and everyone, had they but known what she had been doing. But hey – let’s blame the Russians for everything because unreasoning bigotry is just such fun and stupidity goes hand in hand.

kishore kumar

My PC got affected and my files got encrypted. I haven’t created a backup of my new important files. Is there any way to restore the files?

Sakib Arifin

Even governments can’t unblock files. How would you?

Claudia

Even though Necurs’s intention was to evade analysis by sending probes, what makes you think it’s just for cloaking this time? I mean, from a malware developer’s point of view, the former might be a thin layer of security by obscurity. Wouldn’t a C2-triggered, global kill switch instead help mitigate bigger risks? For example, if there’s a catastrophic bug, or as a collateral in case they have leased out the malware?

dbe4876

Not my world, but fascinating read, and glad there are folks like you (and your community) out there in the battle! Thank you!

If you’ve shared it already, then I apologize, I’ve not been able to find it… Would you mind sharing the actual DNS name that is used? That might be helpful to register within private networks that do not resolve external DNS queries.

Thank you for your excellent blog. I got to sleep 5:30 this morning… I followed the worm story unfold. Surprisingly few have paid the ransom.

Uiqueblhats

Few just checked all 3 BTC addresses associated with it: $26k paid in total to be exact… not bad for 230k infections

brdlip

$26k is not bad as a sum. But it actually means 87 folks out of 230,000 infected. That’s 0.037%.
I guess Carol’s statement stays pretty correct.

Asdrubal Trombone

I understand when highly skilled professionals would be humble enough to not be seen as arrogant or selfish about their achievements. It is obvious the word “accidentally” is not the right word to be used but the reading of your article is enough to let us know a lot about the professionalism and character of the author. Very well done, sir. Cheers from Brazil!

Richlv

after you get the well deserved sleep, a few typos to fix 🙂
* registartion
* and and
* importiant

Señor in Collage

I don’t think these typos are importiant.

Nigel Jonathan Fitton

* important. Credit where credit’s due.

Phillip James

Awesome work – many, many thanks.

Norman McIlwain

You haven’t exactly saved the world, but it feels like it. 🙂

QBab Lolhead

If you think about it, he probably saved a good bunch of lives. As a result of all those hospital computers not going down because of his happy little “accident”.

2Broear

are you F*CKING serious for real at this time?

GuidedHacking

I was waiting for the SMB exploit to blow up and we got fireworks yesterday! It was awesome to be watching everything unfold in real time, very cool to see MalwareTech at the forefront of this with all the great info. Glad I followed you on twitter months ago 🙂

Maggie

I don’t understand a word I just read, but Thank You so much, I was dreading going to work on Monday, you’re my hero and no doubt to the rest of my colleagues in the NHS. 🏆🏆🏆

paleh0rse

Much respect, well done! A little bit of luck to augment obviously professional level skills never hurts! 😉

Alfonso Pérez

Well done! So the domain registering thing was a means to stop the ransomware that the creators had in mind then?

Alfonso Pérez

Oh I just read it, yeah. I agree with others, this was due to hard work and dedication, definitely not accidental! :=)

Salvio Quiralte

Thank you a lot!!! Operators and IT Administrators will have a chance to understand and prevent the WannaCrypt attack in their networks.
Again it has happened on old and “proprietary” protocols like SMB v1 … not designed with security in mind…. 🙁
You are a GOOD ETHICAL HACKER!!!
YOU RULE!!

Can you help me please? My computer got ransomwared about 6 months ago and I lost a lot of stuff. I still have the files on my computer but luckily nothing else is affected, as we seem to have deleted the program causing it.

K.T.

Is there a way to “Decrypt” the messed up files? I’ve got the original (backed up) and the damaged file, but my programming skills are too rusty (I’m still in the ’80s Borland C 1.01). There has to be a way to decipher it.

Bruce Xiong

Thanks for your great work. May I translate this article to Chinese and post it to my blog? Thank you again!

Well done mate! Now go and get your sleep… and I hope you get another whole week off work for your troubles!

LyannaStark

Thank you for sharing this with us!
And mostly a big big thank you for the work you do.
And thank you for having registered the domain!

Mabel Foster

I don’t know anything about technology, more so malware. But what I do know is that what you did was awesome. You’ve given me hope that our world can be a safe place to live.

Cloudmonkey98

Imagine a group of burglars break into a warehouse and then ping a walkie talkie, expecting nothing; when they get a response, they freak out, think someone’s onto them, and bail. The malware does roughly the digital equivalent, using an empty website, since if it was in a closed environment for studies, the system itself is likely to respond to the ping. But when this guy registered the empty website and set it up, suddenly all the copies of malware are getting responses regardless, and freaking out and killing themselves, stopping most copies of it, and preventing further spread.

Outstanding work and effort. Like one of the other gentlemen on here said, you should be awarded the Nobel peace prize. You stepped up to the mark when people needed you mate, and you kept at it! My hat goes off to you Sir! Great Work!

Peter

Just saw your Twitter account on German television. Nice job!

R B

NSA, hire the man! My hero. Great job! Thank you.

Andy Castor

Sweet work. Huge respect.

dionthefly

Please find an agent who can get your story published: it’s a page-turner! And/or a screenplay…..

Robert White

Serendipity is often the way scientists make discoveries, Malware Tech. If I were you I would let governments know that you are taking offers for graduate school in Computer Science. Oxford should be your first pick, but if MIT makes an offer you would be well advised to take it given their technological & business acumen. Clearly, you can now call your own tune with respect to research positions in academia & government. Moreover, the Spy Agencies will likely want to employ you as well. MI6 & the NSA will most likely be knocking on your door with offers too. Pick the best offer for the most money as a rule of thumb to guide by. And never forget that the best discoveries in Science have happened by accident.
All my best to you.
RW

lyndsey

Well done genius.

Close call for many there. You may have saved lives in the hospitals.

I’m sure there will be a film about you one day. You’ll probably have a machine gun tho.

Amy

Very well done! Loved reading this. Thank you for doing what you do 🙂

Dizcuzted

Nice work on the analysis. Even nicer that it turned out to also shut down infection!

Jaden

Absolutely brilliant job, you’ve saved me a ton of work there. I’ve been checking so many of our Windows Servers for ages!

gohan

This is absolutely great! Well done! I still have a question though. You mentioned: “most NHS employees don’t open phishing emails which suggested that something to be this widespread it would have to be propagated using another method”.

Journalists could think it’s luck (it was not, of course); your ego should not be hurt. All the smart guys in the security/IT community know you’ve done something amazing.
Not sure for the Noble price but you saved time and money (maybe lives too?) for an amazing number of people (millions?).
Great job!

Nigel Jonathan Fitton

Nobel prize.

KNOKKi

In the Netherlands many posts submitted about your work (i.a., at tweakers.net but also on national public news on television and internet), refer to a kill switch being found. Do I understand well from your info that you are not considering the domain you registered as a kill switch?

BTW Directly under the header you have introduced the tag ransowmare. Tag should be ransomware I presume…..

Cloudmonkey98

Registering the domain WAS a killswitch, but for a bit he was worried it was actually a mass trigger. The gist is that when the ransomware gets a ping on that domain, it generally thinks it’s on a Virtual Machine or some other setup where it gets back a ping despite the site not existing, and thusly commits suicide, probably to avoid further analysis. When the site got set up, all the pings were suddenly getting responses, which was triggering the ransomware’s response of committing suicide, despite not being in a contained setup.

swattz101

So, out of curiosity, what are the chances of someone black holing the domain on their network and triggering the malware because it doesn’t think it exists? I don’t think that’s how blackholing works, but I’m not an expert. I’m assuming black holing locally would trigger the same sandboxing results, but I’m not sure.

Denis Croombs

Thanks for your hard work and great write up, you are a true pro.

Nigel Jonathan Fitton

Accident my bot… net! Respect.

Rzhtm Cuatro

Well, from my experience, in the process of analysis and root causing (identify the parts of the problem and how they interact) you need to play a bit with the variables in order to fully understand and sometimes when doing this you often get this kind of “accidents” (wiping out data, bricking HW, fixing the issue, etc).

One can probably argue that he had to analyze the code from top to bottom and then knowingly register the domain but that might take a while which is a waste of time (and in this case, more infected terminals)..

swattz101

Which is why most researchers analyze malware on stand-alone systems and VMs or air-gapped malware networks.

Rzhtm Cuatro

Yes, and VMs tend to suffer those accidents. Which makes me think, shouldn’t he have done that test first? I mean, change the VM’s hosts file and try with and without the domain to see what happened before actually registering the domain on the internet. At least he could have saved himself that anxiety when thinking he triggered the ransomware and encrypted everyone’s files.

Steve Gonzales

Awesome job! Thanks for the explanation.

Paulo Otavio D. Rodrigues

Well done! Great job, man, even being accidental! 🙂

Robin Meis

I just tried running WannaCry inside a VM. Without any modifications to the hosts file the ransomware encrypted all files. Using Wireshark I could not monitor any DNS queries, but some requests to TOR servers. The corresponding TCP streams contained three random looking domains each.
Any idea?

Yes, it encrypted the files in the VM. The host is running Linux, so probably safe. Also other computers were not affected as I use an isolated VLAN for these VMs. However the router allows any traffic from this VLAN to the internet. Beyond that, I tried to infect another Windows 7 VM without any updates (fresh installation), which did not work.

Terry s

It’s not accidental, it is serendipitous. This is also an essential ingredient of drug research, which requires knowledge, experience, hard work, etc, and a degree of good fortune, but drugs are not invented by accident. Give the man a medal. The ‘kill’ result was serendipitous, but not the contribution made.

JV

GREAT JOB, many thanks from Spain !!!

Andy Edwards

So I guess more sophisticated sinkholes will fake responses from many different IP addresses?

Dude. You’re a great programmer. Expect to be contacted by NSA soon. I wouldn’t be surprised if they call you Monday asking if you want to go work for them.

Velethuil

This is testing !!

Rodolfo

Forget the gender discussion. Who cares really. What we should focus on rather is how much technology has empowered us, the good and the bad guys, to take advantage of it to achieve what our goals are. This experience reveals some bad ass tech-heads with bad intentions on one side and an even badder ass tech head getting the job done on the good side. A classic evil-good drama of the XXI century… can I have the rights to the story and film?

Mikael Nyborg

I am humbled by your achievement. This is not an “Accidental” thing at all. Worthy of a Nobel Prize in Cyber Security.

Jack Bourne

How is it spreading? I own a NAS on my home network and keep getting attempted sign ins via SSH/Telnet on ports 22/23 I think, and this has spammed my email inbox with 193 emails over the past day, which I never have had before. I looked up a few of the IPs and they are coming from China, Mexico, Russia and South Korea mainly. In the end I decided to shut off those ports when I got home.

Jack Bourne

Also the NHS is way behind the times with their infrastructure. They seem to like to spend the money on new IT extras like extra terminals and WiFi hotspots for patients when really they need to update their Windows Servers. I used their WiFi whilst I was visiting for 2 days and I decided to scan the network and every device on that network was visible (which is very bad) because I saw some of their printers were being used on the public WiFi. Surely if they’re gonna put their patient WiFi out there then why haven’t they stopped guests from using port scanning tools, like other free WiFi hotspots like The Cloud for example?

Gustavo Segura Bernal

Respect, dude!

Simon Dean

Well done to you. Your natural instincts in this work, professionalism in being very methodical and outstanding work ethic saved us, and the day. It still goes on after the event; this blog and your news that Microsoft have released patches means I have applied them to my workplace servers at 12:30am 14/5, and can sleep more soundly. If anyone from Microsoft is reading this, *thank you*

Many many many thanks to you once more and the collaborative community you mentioned providing valuable support. A toast indeed!

TheoremUK

Came across your site on 1st May. Shared the botnet map thing. 2 weeks later, I look on the BBC news, and your map is there with the NHS story. Great work

I agree with everyone’s sentiment. This was no accident. Good job! I know you’re probably getting overwhelmed at this point but would love to get some pointers on hardware or even some reading suggestions from you on server builds for sinkholes and isolating the analysis environment. Am self taught but never focused? Any help would be awesome.

Alister Amo

flawless.
now, let’s prepare for the second wave.
we have work 😉

Buddhika Ariyaratne

Great work and excellent description. May God protect you.

Haile Dechassa

I don’t remember the last time I read an article/post with this kind of excitement and warm feeling. I don’t call this an accidental finding, this guy knows what he is doing and it is pure experimental work and for sure it was his lucky day. You did an awesome job and thank you for that!!

JNKs

Can someone explain in layman terms how this attack was halted using the registration of a domain name. A non techie here, so struggling with understanding this completely. Thanks for everyone’s help.

jasperwillem

The “software” that is “attacking” has been tested on the computer of the “attacker”. This test is done in a computer environment that is not connected to the internet, which can be virtual, which is called a sandbox. The attacker / tester had implemented a hard coded domain step in it, that told the attacking software it was in the test suite (think VW). The URL was not meant to be a real end point.

When the “software” was sent out onto the internet, the “software” still had the hard coded domain in it. Due to the security researcher making a domain on that web address/domain, the researcher was now the receiver of all traffic that was testing if the “software” was in the “sandbox” or not. When the software reached a new computer or “a host” and it ran the first time, it contacted the fake domain name and would execute its functions; ransom the computer and try to spread further. When the domain name was fake in the real world the “software” knew it was not in a test environment and had to work for real.

Now the “fake” domain is turned into a real one by the security researcher, all releases that are infecting computers or “hosts” on the internet will now think they are in “sandbox (mode)” or “test mode”; limited to the version researched by the security researcher. By making all new infections think they are in test mode, they never reached the “green light” on the “host”. So, from that moment on, infected hosts / computers would not start encrypting the local files and trying to spread further to, for example, the (internal) network that was connected to the “host”.

JNKs

Wow, this is really great and much clearer now. Thanks much jasperwillem for taking the time to pen this down. Greatly appreciated.

KNOKKi

Hi JW, this is more or less how I understood it. But if this is the case how come that the number of infections still increases?
And what do you mean by “(think VW)”?

OK, I can understand that, but as far as I know (also referring to info on tweakers.net) a second version has not yet been found, so that cannot be the explanation.
Volkswagen parallel very nice indeed!

jasperwillem

If you filter comments on tweakers on +2 and above, you will see other versions listed a bit down.

swattz101

I haven’t seen the tweakers.net article, but assume it was written before the v2 came out.

The malware writer can make up a gibberish domain name (like “ajhdadakdahdka.com” or something) and by putting it in the “hosts” file(s) inside the sandbox, the name will resolve to an IP address. (Most systems are configured by default to consult a local “hosts” file for looking up names/IPs before asking the Domain Name Service (DNS) for the answer.) Presumably that sandbox host with that IP will run a Web server on it, so the HTTP test will ‘succeed’ and thus the malware will not throw the “detonate() switch” (see pseudo-code in the article above) to encrypt the files.

disqus_ykznXtqnuv

(here is my, simple and incomplete understanding)

The attack software checks a very random looking domain (someone posted it up above).
If it returns a response (is registered), then the attack software quits without infecting the system.
So actually registering the domain, stops the attack software, and is the ‘kill switch’.
Why this is in the attack software has led to a lot of speculation…

Cloudmonkey98

Jasper’s explanation was wordy and informative, but for those thinking tl;dr, the short and simple is that it pings an empty site, and expects no response; when it gets a response it freaks out and thinks it’s secretly in a sort of digital test tube and commits suicide, since sandboxes are likely to respond to pings directed at pretty much any DNS that it won’t reach. Now this guy, by buying up the real world version of this site and getting it running, is causing all these infections to actually get responses, and proceed to kill themselves, stopping this batch of malware from continuing and spreading further.

mamadillo

Total “civilian” here, but I know enough to recognize how talent plus perseverance generally lead to spectacular successes. Congratulations on your whomping of the Bad Guys!

Jason Scott

Thank you so much for your tireless work.

PG CodeRider

Way to go! Great write up and good work. “Accidental hero”… absolutely not!

To paraphrase Gary Player, “the harder you work the luckier you get” appears appropriate. A true professional – well done matey!

Debtanu Biswas

Coca-Cola was supposed to be a medical remedy.
Play-Doh was supposed to be wallpaper cleaner.
Kotex was supposed to be used for healing and dressing wounds during World War I.
Chocolate chip cookies were a dessert recipe gone wrong.
All these were inventions created entirely by “accident”. Inventions are not accidents; they are hard work, which many people (read: reporters) don’t get.

As a retired IT professional, I really appreciated this clear and not too technical description. Many thanks, and well done for a phenomenal job.

Himanshi Grover

I did want to ask, as I am also interested in gathering all the knowledge regarding the analysis of malware files.
A few of my queries:
1. How do you collect these samples? (I want to collect adware files as well as the latest malware files)
2. How do you create a sandbox environment in which to execute malicious files?
3. What should the system configuration (tweaks) be in order not to be detected as a testing system by the malware file?

Waiting for the positive response.

Sebastian Jablonowski

You guys need a donate button, since we need to buy you a beer 😀

Nicolas Reid

A bitter irony is that following the advice of immediately disconnecting your infected systems and network from the internet, also makes it impossible for the malware to see the killswitch.

Michael

The way I understand the code it’s checking the domain before infecting (or not)

If you were already infected it would be too late anyway

Danny

Resulting from his past experience, he cut the slice very quickly. So maybe unconscious mind work but not accidental.

D3 Solutions

Most people do some things accidentally and become heroes. Anyhow, that doesn’t matter for us. We must salute them for their tribute to rescuing our world.

Lim Quan Heng

Kudos to you, the result might be termed “accidental” but the professionalism was not.

Zer0sec

lol I don’t buy this, the creator wouldn’t go through this much risk and trouble not owning a domain he couldn’t manage via DNS. Sounds to me like you created it from the start. What was the domain? Let’s look at the domain’s registration history.

Ron Sexton

All technical people make educated guesses based on past experience. You can label it luck or an “accident” or whatever you want but it is a product of experience and expertise. It doesn’t always work out but there is no other way to operate in this environment when confronted with newly emerging threats like this.

Adam Metselaar

Whatever you did and however you did it, may I kiss you on all four cheeks

Adam Metselaar

Now find these people fast before they learn and make a better one next time

Lucy Couch

Don’t care if it was an accident or not or understand the details of how you did it, you just did. This means patients can continue to have life saving operations and procedures and for that I think hero yes x

Cloudmonkey98

The malware pings an empty site when it boots up to make sure it’s not in a digital test tube of sorts, and expects a failed ping; if the setup is like this “test tube” the ping will come back, but off the wrong IP. If the malware gets a ping back of any kind, it thinks it’s trapped and commits suicide. By buying up the site, and thus making it send back pings, the malware now always thinks it’s trapped, and most copies committed suicide, thus saving tons of places horrendous amounts of grief over this shit.

Carlos Gonzalez

I’m not sure if you’re the drinking kind, but you sir, deserve however many pints you’d like for this awesome serendipity! Being in the IT field, we were hoping for the best and prepping for the worst!

Kang Nayeon

That was really cool!!

Reini Urban

I rather think the ransom dev was pretty stupid checking for a valid domain name, and not just some randomjunk.local name, added to his /etc/hosts file for sandbox testing. You wouldn’t be able to register that name.

Odilon Marcenaro

Expertise, logic and balls of steel. The world owes you a debt of gratitude!

Mustaque

You are awesome man.. Keep doing the great work…

Stef

Hello, I was wondering, does that mean that people behind fake DNS would have been protected even without you registering the site?
And could a firewall/whateversecuritytool redirect every address of a registered site to a fake/local address like 127.0.0.1 to make the malware believe they are being studied?
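To make the kill-switch behaviour that jasperwillem, swattz101 and Cloudmonkey98 describe concrete, and to show how the cases raised in the thread (a proxy that only returns a block page, a machine cut off from the network, a hosts-file override to 127.0.0.1) come out, here is an added Python model. It is not code from the post, from the malware or from any commenter; the domain is a placeholder, the `FakeNetwork`, `scenarios` and `probe_live` helpers are constructed for this example, and the decision logic follows only what the comments state (any HTTP response means exit).

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Placeholder only: the real kill-switch domain is deliberately not reproduced here.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"
SINKHOLE = "203.0.113.10"  # documentation-range address standing in for the sinkhole


@dataclass(frozen=True)
class CheckResult:
    resolved: bool        # DNS, or a hosts-file entry, produced an address
    got_response: bool    # any HTTP reply came back, even a proxy block page
    malware_exits: bool   # per the thread: a reply means "sandbox", so the sample exits


def killswitch_decision(resolve: Callable[[str], str],
                        http_get: Callable[[str], Optional[int]],
                        domain: str = KILLSWITCH_DOMAIN) -> CheckResult:
    """Model of the check as the commenters describe it: only the presence of an
    HTTP response matters, not its status code. No address or no reply means the
    sample believes it is on a real victim and proceeds."""
    try:
        resolve(domain)
    except OSError:                      # NXDOMAIN, no resolver, or no network at all
        return CheckResult(False, False, False)
    status = http_get(f"http://{domain}/")
    if status is None:                   # resolved, but nothing answered on port 80
        return CheckResult(True, False, False)
    return CheckResult(True, True, True)


class FakeNetwork:
    """Constructed DNS and HTTP stand-ins so the scenarios below run offline."""

    def __init__(self, dns: Dict[str, str], http: Dict[str, int]):
        self.dns = dns    # domain -> address; a missing domain is NXDOMAIN
        self.http = http  # address -> HTTP status; a missing address never answers

    def resolve(self, domain: str) -> str:
        if domain not in self.dns:
            raise socket.gaierror(-2, "Name or service not known")
        return self.dns[domain]

    def http_get(self, url: str) -> Optional[int]:
        host = url.split("/")[2]
        return self.http.get(self.dns.get(host, ""))


def scenarios() -> Dict[str, CheckResult]:
    """The situations raised in the thread, run through the same decision logic."""
    d = KILLSWITCH_DOMAIN
    cases = {
        # before registration: NXDOMAIN everywhere, every infection proceeds
        "unregistered": FakeNetwork({}, {}),
        # after registration: the sinkhole answers, so the sample exits
        "registered_sinkhole": FakeNetwork({d: SINKHOLE}, {SINKHOLE: 200}),
        # a blocking proxy still returns an HTTP page; that counts as a response
        "proxy_block_page": FakeNetwork({d: SINKHOLE}, {SINKHOLE: 403}),
        # cable pulled: the address may be cached, but nothing answers, so it proceeds
        "isolated_network": FakeNetwork({d: SINKHOLE}, {}),
        # hosts-file override to loopback with no web server listening: still proceeds
        "hosts_override_no_listener": FakeNetwork({d: "127.0.0.1"}, {}),
        # same override with a local listener on port 80: exits, as in a sandbox
        "hosts_override_with_listener": FakeNetwork({d: "127.0.0.1"}, {"127.0.0.1": 200}),
    }
    return {name: killswitch_decision(net.resolve, net.http_get)
            for name, net in cases.items()}


def probe_live(domain: str = KILLSWITCH_DOMAIN, timeout: float = 5.0) -> CheckResult:
    """Defender-side check against the real network, e.g. to confirm that an
    internal DNS override for the kill-switch domain actually answers."""
    def resolve(name: str) -> str:
        return socket.gethostbyname(name)

    def http_get(url: str) -> Optional[int]:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code                  # an error page is still a response
        except (urllib.error.URLError, OSError):
            return None
    return killswitch_decision(resolve, http_get, domain)


if __name__ == "__main__":
    for name, result in scenarios().items():
        verdict = "exits (kill switch fired)" if result.malware_exits else "proceeds"
        print(f"{name:30} {verdict}")
```

The two loopback scenarios answer Stef’s question: pointing the domain at 127.0.0.1 only helps if something on the machine actually answers HTTP there.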

Someone just beat the hell out of a ransomware apocalypse and you guys are arguing over the term ‘accident’. Please, comment something useful for a change. And perhaps… I don’t know… be grateful or something.

Johnny Schuetten

Amazing job. Whatever happened “accidentally” in the beginning, the extraordinary mission was to follow up and not getting tired (not even talking about sleep ;-)) until getting to the gist of the matter and drawing the right conclusions. A real professional.
Hats off!

H. Keith Henson

Thank you very much for stopping this thing. I was in a hospital not long ago and without their computers, the doctors and staff would be lost.

Paul Littlebury

Impressive report, very useful – thanks! 🙂 Regardless of accident or not, it was your actions that had positive effect.

Dilan Rumesh

#Great work #Thanks from Sri Lanka

Helen Willan

Thanks for saving untold numbers of man hours across the globe; and being so modest about it

Nick Vertes

You Sir are a Gentleman – thank you on behalf of all the people who would have been infected (and then I would be the one without the sleep 🙂

Todd Crawford

I am a new Computer Science student. Any help is appreciated. What is a C2 domain? What programming language is that? I am only familiar with Python right now. As “accidental” as that was…it’s bloody brilliant.

swattz101

C2 is Command and Control. It’s what the malware reaches back to for instructions or to report on success / failure.

disqus_ykznXtqnuv

I could be wrong, but it looks like C.

Brain Codec

Accidental or not, you’ve done a great job! My congratulations.

Karl Hamner

I didn’t understand any of that on a technical level, but thanks for defending civilization. We’d be screwed without the watchers on the wall.

Cloudmonkey98

Malware infects things; malware checks it’s not secretly in a digital test tube by pinging an empty website; if it gets a response as if the website exists, it commits suicide. This dude got that website as part of his standard procedure for working against the malware, and unintentionally killed off almost all of it then and there, and only realized it later once they started cracking open the code.

Brigitte Schrijvers

Most geniuses find the biggest solutions of mankind by accident. Great job.

Paolo Malnati

From the screenshot, the malware appears to allow a ‘trial decryption’ which means the private key should be in RAM for a short time. I guess this could allow decryption without paying the ransom if another process read the value from memory? Is that possible?

Rzhtm Cuatro

i would think they have trial-decryption keys. But yeah, if they happened to use the same keys for both, you can get the keys from RAM (not an easy job but doable).

Hail MT.
I was expecting something like this on the internet and I warned those I considered needed to be warned in advance. Of course, the general attitude I met with was “yeah, right…”. At responses like that, I returned to other activities. I didn’t dig into this one; good thing you bothered to. I myself am tired of organizations that don’t care until it’s too late. I removed Conficker on my own from a company with 1k computers before any official fix was available. They, of course, didn’t have anything patched and ignored multiple warnings about the possibility of something like that… and they didn’t even bring me a beer after. Today is no different. So I’d rather do other types of research (non-IT&C) instead of helping those that don’t practically care.

Good job again MT for gathering all this info about it.

About the authors ? Well, it’s not Russians, Chinese or Aliens. So go figure. 😀

This is all against bitcoin, to stop and ban the bitcoin, coz these people are asking money through bitcoin, and all illegal business is done through bitcoins, so I say, it’s done by top government secret agencies and banking sectors, just to stop bitcoin

Ryan Radford

Silly question, what’s to stop them from using another domain?

Cloudmonkey98

Nothing, but they’d need to whip up a new batch of malware with either no check, or a check at another empty domain, and that’s time security folks like our buddy in the article can spend working on defenses and detection methods against this particular style of ransomware

Black Spot

Thank you. As one who has battled the bots and infections in times past, I salute you. Carry on being awesome.

Naomi Summers

Congrats and thanks to everyone that saved the nhs servers and stopped thousands of needless blood and xray retests

Santa Claws

Whenever people say “millennials suck” I am going to send them this link. You sir are a badass

Amadeu Alexandre

Crazy media, they should do the accidental work. Well done to MalwareTech team.

MrOther

If I had registered this (long & complicated?) domain name for a business I was setting up, that would have been an accident. This was apparently more of a happy outcome from a well-informed shot in the semi-darkness.

You had a procedure, and you followed it. This resembles the pre-flight checklist that grew from the crash of the B-17 prototype.

Sebastian Nielsen

I don’t think it was an anti-analysis thing. I think it was really a kill-switch, hence the long “password-like” domain name. My theory is that the malware creator wanted an ability to bail out in case the creator noticed he was being traced. To avoid the domain itself getting traced or shut down, he didn’t register it. And in the event of an “emergency”, the malware creator wanted to be able to shut down all C&Cs. But the problem would then be that the malware would become file-destroying instead of file-encrypting if the C&Cs were shut down. Thus the malware creator added a kill-switch domain that could instantly be registered from an anonymous IP, and then pointed at a random live HTTP server, to cease the malware spread before hitting the stop button on the C&Cs.

vs777

still, it doesn’t make very much sense to query a dummy domain. What’s the point? Prevent infecting of the sandboxes?

Cloudmonkey98

A sandbox would mean it’s contained, such as in an Anti-Virus’s quarantine, and if it ran full and true in such a situation, it would be in a controlled situation, and thus much easier to analyze; it’s an anti-analysis method.

Accidentally Stop a Global Cyber Attacks, nice. I’m not an expert to answer, but telling it was accidental you stopped it from your side

EmoCore Zurc

a Hero indeed!!! Kudos sir.

Abhishek Purohit

Accident.. no way… its a hit and trial method to begin with to see the changes… great work. 🙂

Andrea

Compliments!

Jailton Junior

Awesome job!
Congratulations

Christophe Mathieu

Good analysis, good explanation, thanks for sharing!

donvitocorleone

Excellent stuff! As usual, the media do not get it.

Nisanth Dutu

Thats a good stop.

Nisanth Dutu

He smartly put this website in “Under Attack” mode. 🙂

Thorium_Bromine

You’re free to fly away now, Captain.

Illogical Logic Gate

Indeed, well done!

Furious Furian

Great work!

Zykciv.deviantart.com

without you, this virus will be bigger than World War III, thanks. kkkk

Jaime Fernández-Caro Belmonte

Great article. Congrats for your findings!

Oda Nobunaga

It may be “accidental” that it worked so well, but it worked because you have good, well thought out routines. And that is not accidental.
Cheers mate!

Maq_Ecosse

Great work and great post ) question though, does anyone know a workaround for W2K servers where the antivirus signature is a year old (no more updates) and the SMB setting can’t be disabled (I know, I know, they’re out of support – just asking)?

Amy Smith

Well done for killing the worm! Good luck with all the attention you’ll get now hah!

Felipe Barone

Well done!

Lucien

Dear You,

I give you a better answer concerning your statement <> :

TO MY MIND, this domain is a switch that inhibited the payload for some time, allowing the virus to spread out to many computers without being detected, and then at a given time all viruses would activate simultaneously – thus the name of the macro “detonate”. Check when the domain was last unregistered, who was the previous owner…
But your analysis of the code will tell you if my opinion is true or not !
Thanks for your detailed explanation of what happened, it fulfilled my curiosity.
Lucien.

Nicolas Blois

Thanks for sharing this story. CONGRATULATIONS Dude 🙂

Jonathan Doe

You’re still a cuck

Jenska

Honor is due. Truly a professional effort and outcome. Accident? Only in the sudden effect, not the process or the people involved. You make your own luck; in time these people would have reached the right conclusion anyway, taking the path they did. Excellent not-too-technical write-up.

Minh Vũ Hoàng

They spread to Vietnam! I cannot think about this: if the wannacry virus is spread, how will information technology work?

Cauê Henrique

Congratulations for this brilliant job!!!

Chintan Kalkura

Congratulations on the brilliant job done, mate!! You are deservedly the modern day Batman.

Infinityape

Kicking Arse, sometimes means, tripping over a rock, in order to knock them out!

Alberto Hernandez

Awesome, only people like you two can see that. Thank you

jojokaka

Did this ransomware attack Linux systems? Are they vulnerable?

Robert Morales

Well done on the DNS sinkhole :) I wish I could have a mentor who taught all of this

Nicely done young man! We’re proud of you on the other side of the pond, KUDOS!!

Brian Teller

Any reason the domain isn’t being shared in this post?

Benj

Curious if there was a reason you registered the domain (beyond knowing the malware was connecting to it) that you didn’t document above? If not, it’s a little concerning the professional approach (with what was still effectively a black box at that point) is to register the domain without knowing if this will make things better or worse.

Ted LeRoy

Great work Malwaretech! In doing your normal routine, you greatly slowed what would likely have been a catastrophic sweep across the globe of this malware. Glad you’re doing what you do!

Maicon Vieira

Well done,

Julian Ellison

Brilliant work. Thank you.

Omar Villa

I think it is good instinct, not an accident. I’ve seen this before in numerous problems: somehow we fix issues without knowing exactly what is behind the issue, but experience and gut tell us it is the right thing to do, and we take a risk and make a fast decision, which is what good troubleshooters do. With very little data they fix big problems “on the fly”, which is not an accident; it is pure solid experience and good knowledge of the technology and yourself.
Congrats on the great finding

Rich64

Everything has been said. But I will say “Great Job. Many thanks for your diligence to keep us all safe.”

loop909

Dude, you should really set up some sort of Tip-Jar, paypal, Patreon, Something! I would donate some money, b/c what you did is badass – has it sunk in yet, that this was a world-wide thing? and you saved the day.

This write up is currently on the front page of news.ycombinator -hacker news-.

You’re amazing my man. I heard about you through Philip Defranco. And I have a background in Computer Tech, so you know what you did is nothing short of amazing. I’m especially thankful because quite a few of my family members refuse to upgrade from older Windows models due to comfort with their current settings, so you probably helped my family personally. Thanks. And we know you’re a true hero. Not like some other media who have tried to discount and minimize you.

Arindam Majumdar

Put your bitcoin address here. People will be happy to donate small amounts to the savior.

Boba Saget

How the fuck is this stuff actually spreading? Is everyone getting an email asking them to open a trapped word document? If I have an unpatched computer connected to the internet and just sit there will the virus magically appear somehow? Does the user have to allow an executable to run or not???! Seriously, how come NOBODY is asking for this BASIC information and NOBODY has written up the answer?
What a fucking joke.

swattz101

We don’t know how the initial attack started, most likely through Spam/Phishing, a Watering Hole attack or the usual method. But once a system on your network gets infected, it spreads by connecting over SMB (standard Windows file-shares). The malware runs a scan on your local subnet looking for any computers that your user credentials have access to over port 445. Then it looks for any mapped network drives.
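The spread mechanism described in this comment (and in the post itself: mass connection attempts to port 445) leaves a distinctive footprint in perimeter or host firewall logs: one source fanning out to many distinct peers on TCP/445 in seconds. The following is an added example, not code from the post or its author, of how a defender can pick that pattern out of connection logs. The log line format, the host addresses and the site prefix `10.0.0.0/8` are all constructed for the demonstration; the threshold and window are assumptions to tune for your own network.

```python
"""Flag hosts that fan out SMB (TCP/445) connection attempts to many distinct
peers in a short window, which is the propagation behaviour described above.

Added example, not code from the post or its author; the log format,
addresses and site prefix are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One connection attempt per line (constructed firewall-style format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: 10.0.5.7 talks to its file server as usual; 10.0.5.23 tries
# twelve different peers on 445 in eleven seconds, four of them outside the site.
SAMPLE_LOG = """\
2017-05-12T08:00:00Z src=10.0.5.7 dst=10.0.5.10 dport=445 proto=tcp action=allow
2017-05-12T08:00:05Z src=10.0.5.7 dst=93.184.216.34 dport=443 proto=tcp action=allow
2017-05-12T08:00:30Z src=10.0.5.7 dst=10.0.5.10 dport=445 proto=tcp action=allow
2017-05-12T08:01:00Z src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp action=allow
2017-05-12T08:01:01Z src=10.0.5.23 dst=10.0.5.41 dport=445 proto=tcp action=deny
2017-05-12T08:01:02Z src=10.0.5.23 dst=10.0.5.42 dport=445 proto=tcp action=deny
2017-05-12T08:01:03Z src=10.0.5.23 dst=10.0.5.43 dport=445 proto=tcp action=deny
2017-05-12T08:01:04Z src=10.0.5.23 dst=10.0.5.44 dport=445 proto=tcp action=allow
2017-05-12T08:01:05Z src=10.0.5.23 dst=10.0.5.45 dport=445 proto=tcp action=deny
2017-05-12T08:01:06Z src=10.0.5.23 dst=10.0.5.46 dport=445 proto=tcp action=deny
2017-05-12T08:01:07Z src=10.0.5.23 dst=10.0.5.47 dport=445 proto=tcp action=deny
2017-05-12T08:01:08Z src=10.0.5.23 dst=198.51.100.17 dport=445 proto=tcp action=deny
2017-05-12T08:01:09Z src=10.0.5.23 dst=203.0.113.88 dport=445 proto=tcp action=deny
2017-05-12T08:01:10Z src=10.0.5.23 dst=192.0.2.201 dport=445 proto=tcp action=deny
2017-05-12T08:01:11Z src=10.0.5.23 dst=198.51.100.250 dport=445 proto=tcp action=deny
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_smb_scanners(lines, threshold=10, window_seconds=60,
                        local_nets=("10.0.0.0/8",)):
    """Return {src: {"peers": n, "external": m}} for every source that reached
    at least `threshold` distinct destinations on TCP/445 inside some
    `window_seconds`-long period. `peers` is the largest such count and
    `external` counts that source's distinct 445 peers outside `local_nets`
    (the post notes the worm also probes random Internet addresses)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == 445:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            peers = {dst for _, dst in events}
            external = sum(
                1 for p in peers
                if not any(ipaddress.ip_address(p) in net for net in nets)
            )
            findings[src] = {"peers": best, "external": external}
    return findings


if __name__ == "__main__":
    for src, info in detect_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['peers']} distinct SMB peers in one window, "
              f"{info['external']} of its peers outside the site")
```

Denied attempts count just as much as allowed ones here, because a worm sweeping a subnet mostly hits closed ports and absent hosts; the signal is the breadth of the fan-out, not its success. The file server that every workstation legitimately talks to on 445 never trips the check, since it is one peer, not many.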

Jacky

Strange Apple behaviour. We noticed yesterday that a fair number of our Apple devices started sending traffic to a handful of bogon IP addresses… Most common being 100.100.129.90 on port 445. What intrigues me… is that this is the first time ever we see this behaviour… And it starts on the 12th May… Traffic load is not major… But the number of connections seems to mimic the graphs of wcry active infections.

I know there are any of 5 million possible causes for this… But i am curious if anyone else has noted this behaviour.

Personally I admire the coordination between you guys in being able to circumvent around the issues, plunging where it needed be plunged and reverse engineering code to understand what was going on; it’s really admirable…

Russell Page

Ok, so you accidentally stumbled on the solution to stop it (Isaac Newton was hit by an apple, and look what came of that).
You still deserve the Praise & Thanks of most of the world’s IT Systems. What a thing to put on your CV: “I Saved the World from a Cyber Attack, not just a Company, or a Global Organisation. THE WORLD.”
I would like to say “Thank You”.
Russell MInstRE

Hey Guys i have discovered wanacry resolver (#Windows 10)
Just update your Windows 10 to the latest build 1703 or more!!!!!
this version of windows10 is inbuild with #wanacry malware!!!!!!

Tab Lynn

Thank you for the in depth explanation! It has given me great insight as a security analyst. Great work by you and your team. I would be extremely proud of myself. What an awesome day!

Michael H.

Keep up the great work!

Christopher Kubeck

/salute Malware Tech.

BTGuy

Trouble is, now that this has made such public news, virus makers will make sure to better check for sandboxing (for instance, checking multiple domains as mentioned in MalwareTech’s post) and may even start using the domain registration as a trigger just to capitalize on the assumptions made by malware researchers during analysis. What if registering the domain escalated the level of the threat?

Not trying to belittle the great work done by MalwareTech (and others) or results in this instance. Job well done!

VANIA

Thank you for everything you do.

albvar

Great work! World needs more guys like you, passionate and smart. Having a beer for you my friend.

Alan Zhou

I thought it was quite impressive… It was all over the news!

Peterson

In order to send spam mail hackers need our mail addresses; how do they find them?

Great explanation! I’ve followed you on twitter to understand more of these, hopefully I learn a lot of things.

Kamran Ameli-Zamani

Feel free to sport a cape; external underpants optional

Marcos Vinicius Fraga Menezes

Hey man,

Excellent job and presence of mind.

Brandon S. Brandon

Marcus, I just sent you an email requesting an interview on Digital Village Radio, Los Angeles’ oldest public radio show covering the future of science and technology.

Tarkin Smith

You sir are a professional. You did amazing work and it really shows what kind of human being you are for declining the fame and donating the money to charity. I think most of us would have at least kept the money. Still amazing work.

Maybe the word we are looking for is Inadvertently and not Accidentally.

anne bonny

I’m confused here, is this a technical discussion about the take down of a malicious trojan or the gender of the technician that did? Personally I’m less concerned about his gender and more interested in what he did and how he did it. This is not a safe space, this is a tech article, so go back to your hide-y holes, grab your colouring books and hug your emotional support dogs.

Now what is really amazing is how such a dangerous piece of malware is so poorly written, only checking one domain; not that I’m complaining.

Eduardo Forero

BRAVOOOO.. great job.! thanks a lot.

Marcus Weiss

Just imagine if by checking the domain, instead the virus would enter a “terminator-phase”, deleting all content previously encrypted? Instead of saving people you would have damaged them a bit further. It’s like in those movies where the guy trying to cut the wire to disarm a bomb ends up speeding up the process. Hahaha. But of course, you knew this was a normal behavior among these things. 🙂

SallyDJ

Coming late to this thread, I note that approximately the first 10 posts address the article, after which it rapidly degenerates into a gender war. Do you all REALLY care that much? I have much better things to do with my time than trawl through all this irrelevance (and bad language) and I would have hoped that professional people such as yourselves would have too.

The article was well written. Shame the same can’t be said about its title. (What is “…a Global Cyber Attacks”?) Answers – if you must – on the back of a self-addressed email. As for the ‘Accidental’ aspect, it is quite clear that having noted the unregistered domain, procedure was followed in registering it. Not an accident. It was, however, fortuitous that merely registering it was sufficient to halt further attacks. It may have required a specific response from the domain to the worm to halt it, or to activate it, but not taking possession of the domain would have achieved nothing: infection would have continued. Possessing the domain also allowed harvesting of IP addresses which were infected but halted, which could be passed on to authorities as stated in the article. Failure to take the domain could also have severely hampered or delayed any deactivation exploit based solely on decoding the worm.

No-one seems so far to have pointed out that the status of the worm as outlined above is ‘HALTED’. It is not KILLED or REMOVED. There still needs to be a cleanup before all data is safe, and some form of effective patch to catch any variants.

Good on Microsoft (not lightly said!) for issuing some upgrades for older obsolete systems too. Many out there dismiss XP and such as junk and deserving everything it gets (in a bad way.) But, a very large portion of industrial machinery runs on such systems and cannot be upgraded because the programs they run are bespoke and will fail.

I’m glad that you’re doing well and keep fighting 🙂
Rather some very nice, fat thing you figured out here^^
Luckily our company hasn’t been hit yet…and some people there quickly delivered a patch with our machine software…
Keep up that work! Wish you the best 😉

Kind regards
Microwave89

KennChester

Registering the domain and maintaining the sinkhole server to continue working was a nice idea. Good thing that the worm did not have any algorithms to reroute the DNS it was attempting to ping to continue spreading. Dick move by the worm devs…

“In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as it were registered (which should never happen).”

Back in the 80’s I was working for an officer with MS-DOS machines making use of the fledgling ARPANET (and no, I do not remember Al Gore being in any way connected with it ;)). Captain James told me that the most dangerous thing you can ever do with your computer is to put it on a network. The Prophet James was quite correct… and still is.